MDR Managed Detection and Response

On this Tech Tuesday episode, Roger Walton talks with John Maher about Managed Detection and Response (MDR). He explains how MDR protects companies, and he talks about the MDR services provided by PCG.

Portsmouth Computer Group · MDR – Managed Detection and Response

John Maher: Welcome to Tech Tuesday brought to you by PCG, a managed services and security provider in Portsmouth, New Hampshire. I’m John Maher and with me today from PCG is Roger Walton. Welcome, Roger.

Roger Walton: Hi, John. Great to be with you today.

What Is Managed Detection and Response?

John: Thanks. So Roger, today we’re talking about MDR or managed detection and response. What is managed detection and response?

Roger: A MDR is a service that monitors a business’ IT environment. And what it’s doing is, it’s looking for indications of a potential security issue. And then should it find a security issue, it responds to each issue by some form of remediation depending on exactly what the issue is.

How Does MDR Detect Potential Cyber Attacks?

John: Okay. And how does it detect potential cyber-attacks?

Roger: There’s really a couple of different parts of the system. One, is that many of the systems in the IT environments are actually logging events through time. Servers do that, workstations do that, firewalls do that, your Office 365 service does that, and so on.

One thing it does is, it collects and views all the logs that are generated by these systems. The second thing it does is, we add additional agents or software programs to certain of the devices, to servers and sometimes to the workstations, and they can look for additional information. So that’s where the information comes from.

And then to kind of collect and manage and help to analyze and correlate that information, we use a thing called SIEM. SIEM stands for security information and event management, that’s a system that gathers all of this data, helps organize it, helps get a head start on the analysis, helps correlate across sort of similar things happening in different parts, in the ecosystem. Those are kind of the core things that we use in order to actually capture the events as they’re happening.

What Happens When MDR Detects a Threat?

John: Right. So once that happens and the MDR detects a threat, how does it then respond? What’s the next step?

Roger: The next step is to understand what type of event you’re looking at. A human gets involved at some point, because the first thing we want to do is to make sure that it’s not a false positive, that it’s not just an intentional upgrade of a system that’s going on and that we knew all about but the security monitoring system didn’t know about. So that’s usually one of the things that’s done quickly.

The other thing to say is that the system never waits around if that information is not immediately available. Because cyber-attacks can happen very quickly and a response has to happen very quickly. So assuming that there’s no immediate indication that it’s a false positive, then it’s all about stopping whatever the attack is.

And in some cases, there’s a process that can be killed. In some cases, there’s a process that can be blocked. Sometimes you can quarantine, if there’s an operation that’s going on at a workstation, you can quarantine that. So you don’t actually destroy anything, but you just stop it from infecting any of the systems around it. But if you can’t do any of those things, the next step is just to disconnect the device from the network until you can be absolutely sure you don’t have anything that’s dangerous going on.

So, once you’ve sort of killed the immediate process, the next step is containment. With this, you’re trying to make sure that whatever got your first workstation, can’t suddenly spread and create a similar effect to all of your other workstations. So that’s kind of the second thing that happens.

Once you’ve stopped the process, and once you’ve contained and protected your environment, now you can breathe a little bit more easily. But the work is only partly done because we still have to go on and we have to investigate. We have to determine what was the source of the problem. Were there weaknesses in our protection that need to be addressed and so on. We need to classify it so that we can track it. Track things like that over time, and we need to report it. So those are all things that the service does for us.

Dealing With False Positives With MDR

John: So, you mentioned getting false positives if you’re doing maybe a scheduled upgrade or something like that. Is there a way to tell the managed detection and response system ahead of time that at this time, on this date, we’re going to be making these changes? So don’t come back and tell us that there’s something wrong? Or is that just something that when you see that response from the MDR, you’ll just ignore it?

Roger: Yeah, we certainly do that. There’s a process called whitelisting, where you indicate the sorts of things that might happen, that you know that are going to happen, and that you know are going to be generating a false positive. But you generally can’t be sure that that has been done completely enough in every case. And that’s why being aware of false positives is kind of important.

Are MDR Services New?

John: And are MDR services a recent innovation, or is it something that’s been around for a while?

Roger: The MDR service in the form that they exist today are relatively new, but the things that they’re doing, large enterprises have done for at least the last decade and very security-sensitive organizations have done for a longer period than that. But like all things that involve cyber-crime, the targets have got smaller and smaller.

Whereas in the past, most small or medium-size businesses didn’t have to worry too much unless they managed gazillions of dollars in money or something like that. Now, because of new developments like ransomware as a service, relatively small criminals can go after relatively small organizations. And so it’s come down to now smaller organizations have to worry and they clearly don’t have the capabilities in their own staff. They don’t have security personnel to be able to run these kinds of services. And that’s why an MDR service has really developed to provide these capabilities to a smaller organization.

Who Needs MDR Services?

John: So who is it that needs an MDR service here in 2022? Is it all companies? It sounds like it used to be just larger companies, but now probably smaller companies as well need it. Is that the case?

Roger: Yeah. So, if you’re a single person company and you have one workstation, what you really need to do is to protect that workstation. And this wouldn’t be for you. But if you have even more than a handful of workstations, if you have any kind of a data center with a server or multiple servers, then you’re in the range where it’s really valuable to be monitoring your system from multiple points.

Part of the reason for that is that cyber-attacks have become more sophisticated. It used to be that they would always just try and get into the system from the outside, so you really worried about protecting the perimeter of the system. So, beyond that, they would attack one workstation or one server at a time. And so you worry about the antivirus software and the endpoint text and respond, which is really protecting one workstation, one computer at a time.

But now we see much more sophisticated attacks where the criminals will try and go in small steps, each of which independently, don’t look unusual. So they will try and send a completely innocuous file as an email attachment to one person. And then what that will do is provoke what’s called a lateral attack, which will actually try and move into somewhere else in the environment. So if you’re only looking at things one workstation at a time, you’re going to miss those kinds of attacks. And it’s really that level of sophistication that’s made MDR critical, even for relatively small environments.

How Do You Select a MDR Service?

John: Okay. And in terms of selecting an MDR service, what are some of the most important considerations for a company?

Roger: It’s really a couple of things that I would mention. One is that as a small business, you don’t have much cybersecurity expertise. It’s not just about detecting and blocking particular attacks. It’s about making sure that your business is protected going forwards. That you understand the investments that you need to make over time as attack methods and techniques change over time.

As a small business, you should be looking at someone that’s going to be your advisor, rather than just provide a commoditized service, if you like. So that’s one. Something else I would mention that’s absolutely critical is that the services are running 7 by 24 by 365, because if cyber criminals take time off, it’s certainly not when we take time off. That’s the time where they’re most active. So those are a couple of considerations.

What MDR Services Does PCG Provide?

John: And can you talk to me a little bit specifically about PCG’s MDR offering and maybe how that differs from some other MDR offerings that are out there?

Roger: Yeah. What we have set out to do is provide a comprehensive offering for a small to medium size business. The security event monitoring is at the core of that. We talked about the various technologies that we use to do that. We also do vulnerability scanning. We have software systems that on a regular basis will test your defenses. We do some vulnerability scanning from the inside, as well as the outside, to make sure that if someone does get through, then we know if there’s anything inside the environment that would need additional protection.

When an incident does occur, then we lead you through the incident response. And we talked about all the different components that might be involved in that. We subscribe to threat databases so that we know about the latest threats that are out there, so that we’re not surprised, and we know how to handle them when things actually happen.

We maintain logs, an audit trail, of all the security related things that happen. So that if you suddenly become aware that you lost some information, three weeks ago, we can look and see if there was anything that we missed at the time that may pertain to that. The other really important thing is that each client is going to have a senior security engineer, who is their sort of security advisor.

And what we are typically doing is, we’re meeting with each of our security clients on a quarterly basis, going through what we’ve seen over the last three months. What have we learned? Either frrom things that have happened in the environment, things we’ve seen in that particular network, about maybe some additional steps that they should be taking, thinking about in terms of processes, in terms of protection devices, in terms of training. So, it’s really, it’s like having your own security department to help keep you and your environment and your people and your business safe.

John: Yeah. And it really sounds like it’s a super important service these days. With all of the cyber security risks that are out there, and these cyber criminals that are out there. And like you said, going after smaller and smaller companies, you’re not safe. If you think like, “Oh, I’m not a big, huge company. So this really doesn’t affect me.” It’s really affecting everybody now. So it’s a really super important tool and service.

Roger: You’re absolutely right, John. The environment has just changed enormously and things that most small businesses could safely ignore, they just can’t afford to anymore. And there are just unfortunately, so many businesses out there that are able to testify to that.

Contact PCG to Talk About MDR Today

John: All right. Well, that’s really great information, Roger. Thanks again for speaking with me today.

Roger: Been a pleasure.

John: And for more information, you can visit the PCG website at or call (603) 431-4121.